Allan Friedman, Ph.D with CISA
On this week's Industrial Talk we're onsite at IoT Solutions World Congress and talking to Allan Friedman, Ph.D, Senior Advisor and Strategist with CISA about “SBOM – Software Bill of Materials”. Learn about SBOM information along with Allan's unique insight into the cyber security technology on this Industrial Talk interview!
Finally, get your exclusive free access to the Industrial Academy and a series on “Why You Need To Podcast” for Greater Success in 2023. All links designed for keeping you current in this rapidly changing Industrial Market. Learn! Grow! Enjoy!
ALLAN FRIEDMAN'S CONTACT INFORMATION:
Personal LinkedIn: https://www.linkedin.com/in/allanafriedman/
Company LinkedIn: https://www.linkedin.com/company/cisagov/
Company Website: https://www.cisa.gov/
OTHER GREAT INDUSTRIAL RESOURCES:
NEOM: https://www.neom.com/en-us
Hexagon: https://hexagon.com/
Arduino: https://www.arduino.cc/
Fictiv: https://www.fictiv.com/
Hitachi Vantara: https://www.hitachivantara.com/en-us/home.html
Industrial Marketing Solutions: https://industrialtalk.com/industrial-marketing/
Industrial Academy: https://industrialtalk.com/industrial-academy/
Industrial Dojo: https://industrialtalk.com/industrial_dojo/
We the 15: https://www.wethe15.org/
YOUR INDUSTRIAL DIGITAL TOOLBOX:
LifterLMS: Get One Month Free for $1 – https://lifterlms.com/
Social Jukebox: https://www.socialjukebox.com/
Industrial Academy (One Month Free Access And One Free License For Future Industrial Leader):
Business Beatitude the Book
Do you desire a more joy-filled, deeply-enduring sense of accomplishment and success? Live your business the way you want to live with the BUSINESS BEATITUDES…The Bridge connecting sacrifice to success. YOU NEED THE BUSINESS BEATITUDES!
TAP INTO YOUR INDUSTRIAL SOUL, RESERVE YOUR COPY NOW! BE BOLD. BE BRAVE. DARE GREATLY AND CHANGE THE WORLD. GET THE BUSINESS BEATITUDES!
Transcript
Welcome to the Industrial Talk podcast with Scott Mackenzie. Scott is a passionate industry professional dedicated to transferring cutting-edge, industry-focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots, and let's go.
ere in Barcelona, and this is:No one else was doing it. So I think
No one. Nope. They are. But it's always interesting. Allan, it's like one of those conversations you have to have. Nobody really wants to have it. Sometimes it's like, I'm just, uh, I'm on the manufacturing floor. Do I have to have this conversation? And it's always so difficult for me to understand.
And who would want to attack little old me?
Who would want to attack? Look? I'm gonna put that down on the old bumper sticker because they do. It's true. And it's yeah, it's okay. Before we get into it, give us a little background on who Allan is.
I'm a failed professor who got suckered into joining government. My background is in tech, encryption and a number of other tech things. But my PhD is in Applied Economics. And so a lot of what we do at CISA is thinking about how do we actually change the world, not just proposing technical solutions, but telling a story about how we get those into the world.
So you can't just leave that there. Acronym CISA. What does that stand for?
Cybersecurity and Infrastructure Security Agency. We are the United States government's lead cybersecurity agency. And we work across the US government, but more importantly, with the private sector, to make it easier and cheaper to defend ourselves.
So back to what you said in your intro, and it was making the world better. How do you explain that? Just expand upon that. What does that mean? Sure.
Well, cybersecurity covers a huge range of topics. And it covers everything from workforce, how do we make sure that we have a couple more generations of people who want to do it? By the way, quick plug, cybersecurity has massive negative unemployment. So if anyone is advising young people, or if you're contemplating a career change yourself, it's not too late to get involved. And CISA is hiring. I hope that's where the government, so hopefully, that is, okay.
We're a podcast, which is absolutely fine. Plug.
But there's a lot of discussion going on. And it covers everything from the very high end. So when Russia invaded Ukraine last year, we developed a posture called Shields Up to help the industrial control system community sort of figure out, how do we make sure that we're ready for attacks that may come against Americans. And then there's a lot of more specific, detailed approaches, such as maintaining lists of resources. So one thing that my team does is we have a list of known exploited vulnerabilities. It's not just enough to know what's vulnerable. But it's saying, hey, we know that there are bad guys who are going out in the world and trying to break into systems using these flaws. And that helps us prioritize.
What I'm always dazzled by, it always seems like the cyber side of the world is always reactive, not you, but the business. I have to react because I was breached or whatever it might be, but there's a reactive. Is there a way of becoming proactive? Like, hey, we see you out there. That's.
So there's a buzzword in industry called shifting to the left, right? Imagine you've got a boom, right? This is something from the military that the operations world has sort of modeled, which is to say, the things that are happening after the boom, those are important, and we need to have good processes. But what we really want to do is shift to the left of boom to make sure that we're prepared. And there are two ways we can do that. One is fixing things now. And then the other is to make sure that we have a posture to respond quickly when something bad happens. And that's this magical resilience.
See, you brought up a couple of really, one, there is such an education component that it's a people, right? It's a people conversation. So that would be the left side, trying to educate and keep on educating, because I don't know. But that speed, that speed is huge. To compress it.
And by the way, it's also a cost thing, right? If you have the processes in place, if you have the people in place, if you've done your preparation, if you have good data and good visibility, then when the inevitable bad thing does happen, or maybe it's just, hey, be prepared for this new bad thing that could happen, it's going to be so much cheaper. And it's something that you're not going to have to panic and spend too much money on.
See, that's brilliant. And I know that
I'll take being brilliant any day, thank you. You're
brilliant. It's brilliant. Go for it. But let's put it this way. If I have a business, and I see all this documentation, I don't even know if I'm reading this documentation, and I hear what you're saying, I want to be left of boom. I want to do everything I can to be left of boom, and I hear it's people. I hear it's processes. I understand all that. It's overwhelming. And don't tell me to go out to, you know, .gov and pull down some CISA document and have me understand what it means. Where do I go?
You know, part of the challenge, right, cybersecurity, right now, visit cisa.gov. And there are a lot of resources out there. First is, of course, to use one of the many cybersecurity cliches out there: don't try to eat the whole elephant, right? There are different things that we're trying to focus on today. And there are real resources out there for OT security, IT, from CISA. My press team is going to be very sad that I can't rattle off that URL off the top of my head. But if you load our brand new cisa.gov web page, there are going to be a lot of links that will help you sort of figure out how to get started. But more importantly, if you're just the cybersecurity person, that's that for everything, then we've got a lot of problems, right, which is to say, you're not going to be able to eat the whole elephant. No, you're not. But there are going to be some priorities. One of them is going to be to start with the NIST Cybersecurity Framework. Acronym decorative. Thank you. Yes, NIST is the National Institute of Standards and Technology. They're a colleague of ours in the US government; they're based in the Department of Commerce. So that's the first point. They're here to help businesses. That's great. And one of the things they do is they help you start to think about it. And there are five categories that are in the NIST framework. List them: identify, protect, defend, respond, recover. Okay, so those are five buckets, got it. And each of those has some further advice. So that's, if you're starting your cybersecurity journey, that's one of the key pieces. And then as you mature, there's a lot more things that we should be paying attention to. So one of the things that I personally spend a lot of time thinking about is the supply chain of our software.
CIO, I had a conversation about that. And it just blew my mind, because you're just going, oh, I get the supply chain of, you know, this mic going from here, A to B, it is, you know where it is. But then when we start talking about the supply chain of the software, it's like, again, stop thinking.
Well, so software is not hewn out of alabaster marble by tonsured monks on Greek islands, right? It's assembled. So we're,
well done. It's
supply chains since the late:see. I heard somebody talking about island hopping. Yeah, how about that? I know about island hopping and it scared me to death.
Well, and part of the focus of why are we talking about supply chain now. And one of them is just because it took us a long time to sort of get into this focus across the entire software world. And two, there is now software in everything, right? No one in the world is using a passive process. Without software, we're all dependent on it. And the final piece is, attackers are starting to go after the supply chain. And that's a good thing. It's a good thing, because it means that the front door is getting better defended. Oh, so not everything, there's still a lot of insecure software out there. But people who make software are starting to pay attention to making sure that they don't have as many vulnerabilities and that it's harder for the bad guys to exploit it, whether it's criminal gangs or national adversaries trying to hurt national interests everywhere around the world. So the vision is to say, let's start with transparency. You need to know what you have, and what that's based on. Now, we use a term, again, from industry, from manufacturing, called a bill of materials. But today we talk about a software bill of materials, or
Continue. So I'm enjoying this conversation.
So what is an SBOM? An SBOM is the dependency graph. It's like a tree. My product is based on these software components. Maybe they're open source, maybe they're licensed or proprietary, that's fine, either one is good. Those in turn use other pieces of software. So you have a big bridge where this relies on this, which relies on this, which relies on this. And once you have that data, right, the vision is not to create regulations saying you can do this, you can't use that. It's about saying, let's track what we have. And then different organizations can focus on different kinds of risks. So for example, if you're about to buy a big new software product for your company, or a big new operational technology that's built on software, wouldn't you want to know if what you're buying has vulnerabilities already in it? Right? You say, well, I'm about to spend this money, I'm gonna ask some questions. Yeah. So that transparency allows organizations to start saying, let's ask questions. So one thing is, why would you buy from someone who didn't know what they have? Right? Would you go to the store and get?
Yeah, absolutely. You're right.
I like the example of a packet of Twinkies. I go to the store and buy Twinkies, it's gonna come with a list of ingredients. Why don't we expect the same level of transparency, as delicious ingredients? Why don't we expect the same level of transparency that we ask from a non-biodegradable snack for our critical infrastructure? And that's the vision that we're trying to advance, which is, hey, let's get used to that. Now, let's go back to that Twinkie example. Because knowing that list of ingredients won't magically keep you on your diet; it won't, by itself, protect your family from something that they're allergic to. But good luck doing any of those things without that list of ingredients. So transparency enables better risk management.
See, all I want, because I just, give me the starting line. And I need it, I need it in consumable chunks. And not big-syllable words that I don't know about. And it's just, but I think that's where the success is, if you can simplify, to the best of your ability, a very complex subject. I think you guys have something, and I like that. I like where you're going with that.
We're trying to get there. Now we're trying to make this apply to literally all software on the planet. Because we all use the same underlying components, we all use the same open source, but that means meeting the needs of a lot of different communities. And so what I like to do is sort of engage with the OT world and the manufacturing world and the industrial control system world: what are the challenges that we face in those domains that maybe the fancy high-tech software companies don't. And that's why we at CISA are trying to build this global effort. But it's not just Americans. We have participants in this discussion around the world.
It has to be. I have that question all the time. It's like, hey, I found something right over here. And then what do you do with it? It benefits the community, whatever that is, to know about it, like it's bad.
is entering regulation. So in:Yeah, I, good thumbs up.
And we're also seeing this. So if anyone out there is in the medical device space, right, the FDA, which regulates medical devices, is saying anything that you want to sell, anything that you want to put on the market new, is gonna have to have an SBOM. You gotta make sure that you have it. So. And since we're here in Barcelona, the European Commission has proposed something called the Cyber Resilience Act, which says everything that's going to be sold in the European Union, take place is going to, you're going to have to have an SBOM to give to your regulator.
You are great. I don't know where to go now. But still, there's a lot of stuff. I'm glad people like you, and others, do this. I mean, I look at it strictly from a perspective that you're really trying to help protect business. And it's just business.
Well, thank you. I'm really happy to be here. We have to be able to tell a story of what change looks like and how do we make the world?
Awesome. How do they get a hold of you? What's the best way?
Please? Email SBOM@CISA.DHS.gov.
We're gonna have that email out there on Industrial Talk. Allan, you were fantastic. Thanks so much for having me. Once again, we're here at IoT Solutions World Congress 23. You need to put this on your calendar. It is a great event. You get people like Allan, he's pretty cool. You get to talk to him. Yeah, you want that? Reach out to him. All right, we're gonna wrap it up on the other side. Thank you very much for joining. We will be right back.
You're listening to the Industrial Talk Podcast Network.
your bucket list to attend in: